How permissions can be abused by malicious apps

Android, as an operating system, provides a rich set of features to developers. However, some features are quite dangerous and can harm users. One way to contain that danger is the permission system: to do anything non-trivial on the phone, an app must obtain the appropriate permission. However, users tend to approve permission requests without understanding the consequences.
This post describes how various permissions could be abused. The list is by no means comprehensive and serves for illustration only.

android.permission.BIND_ACCESSIBILITY_SERVICE

Intended Use: Write apps that use the accessibility service.

How can be abused: Can be abused to spy on users, or to perform actions on the phone without the user's knowledge, such as silent installations or clicks. An interesting read about such abuse: https://blog.zimperium.com/clicking-bot-applications/

android.permission.ACCESS_COARSE_LOCATION

Intended Use: Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available.

How can be abused: Malicious applications can use this to determine approximately where you are.

android.permission.ACCESS_FINE_LOCATION

Intended Use: Access fine location sources, such as the Global Positioning System on the phone, where available.

How can be abused: Malicious applications can use this to determine where you are and may consume additional battery power.

android.permission.ACCESS_LOCATION_EXTRA_COMMANDS

Intended Use: Access extra location provider commands.

How can be abused: Malicious applications could use this to interfere with the operation of the GPS or other location sources.

android.permission.ACCESS_MOCK_LOCATION

Intended Use: Create mock location sources for testing. This allows the app to override the location and/or status returned by other location sources such as GPS or location providers.

How can be abused: Malicious applications can use this to override the location and/or status returned by real-location sources such as GPS or Network providers.

android.permission.BROADCAST_PACKAGE_REMOVED

Intended Use: Allows an application to broadcast a notification that an application package has been removed.

How can be abused: Malicious applications may use this to kill any other application running.

android.permission.BROADCAST_SMS

Intended Use: Allows an application to broadcast a notification that an SMS message has been received.

How can be abused: Malicious applications may use this to forge incoming SMS messages.

android.permission.BROADCAST_STICKY

Intended Use: Allows an application to send sticky broadcasts, which remain after the broadcast ends. These are broadcasts whose data is held by the system after being finished, so that clients can quickly retrieve that data without having to wait for the next broadcast.

How can be abused: Malicious applications can make the phone slow or unstable by causing it to use too much memory.

android.permission.BROADCAST_WAP_PUSH

Intended Use: Allows an application to broadcast a notification that a WAP-PUSH message has been received.

How can be abused: Malicious applications may use this to forge MMS message receipt or to replace the content of any web page silently with malicious variants.

android.permission.CALL_PRIVILEGED

Intended Use: Allows the application to call any phone number, including emergency numbers, without your intervention.

How can be abused: Malicious applications may place unnecessary and illegal calls to emergency services.

android.permission.CHANGE_COMPONENT_ENABLED_STATE

Intended Use: Allows an application to change whether or not a component of another application is enabled.

How can be abused: Malicious applications can use this to disable important phone capabilities. It is important to be careful with this permission, as it is possible to bring application components into an unusable, inconsistent or unstable state.

android.permission.DELETE_PACKAGES

Intended Use: Allows an application to delete Android packages.

How can be abused: Malicious applications can use this to delete important applications.

android.permission.DUMP

Intended Use: Allows an application to retrieve the internal status of the system.

How can be abused: Malicious applications may retrieve a wide variety of private and secure information that they should never normally need.

android.permission.GET_TASKS

Intended Use: Allows an application to retrieve information about currently and recently running tasks.

How can be abused: May allow malicious applications to discover private information about other applications.

android.permission.INSTALL_PACKAGES

Intended Use: Allows an application to install new or updated Android packages.

How can be abused: Malicious applications can use this to add new applications with arbitrarily powerful permissions.

android.permission.PROCESS_OUTGOING_CALLS

Intended Use: Allows an application to process outgoing calls and change the number to be dialled.

How can be abused: Malicious applications may monitor, redirect or prevent outgoing calls.

android.permission.READ_CALENDAR

Intended Use: Allows an application to read all of the calendar events stored on your phone.

How can be abused: Malicious applications can use this to send your calendar events to other people.

android.permission.READ_CONTACTS

Intended Use: Allows an application to read all of the contact (address) data stored on your phone.

How can be abused: Malicious applications can use this to send your data to other people.

android.permission.READ_SMS

Intended Use: Allows an application to read SMS messages stored on your phone or SIM card.

How can be abused: Malicious applications may read your confidential messages.

android.permission.RECEIVE_MMS

Intended Use: Allows an application to receive and process MMS messages.

How can be abused: Malicious applications may monitor your messages or delete them without showing them to you.

android.permission.REORDER_TASKS

Intended Use: Allows an application to move tasks to the foreground and background.

How can be abused: Malicious applications can force themselves to the front without your control.

android.permission.SET_DEBUG_APP

Intended Use: Allows an application to turn on debugging for another application.

How can be abused: Malicious applications can use this to kill other applications.

android.permission.SET_PREFERRED_APPLICATIONS

Intended Use: Allows an application to modify your preferred applications.

How can be abused: This can allow malicious applications to silently change the applications that are run, spoofing your existing applications to collect private data from you.

android.permission.SYSTEM_ALERT_WINDOW

Intended Use: Allows an application to show system-alert windows.

How can be abused: Malicious applications can take over the entire screen of the phone.

android.permission.WRITE_CALENDAR

Intended Use: Allows an application to add or change the events on your calendar, which may send emails to guests.

How can be abused: Malicious applications can use this to erase or modify your calendar events or to send emails to guests.

android.permission.WRITE_CONTACTS

Intended Use: Allows an application to modify the contact (address) data stored on your phone.

How can be abused: Malicious applications can use this to erase or modify your contact data.
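
To review an app against the list above, the following added example (not part of the original post) reads a decoded, text-form AndroidManifest.xml and reports which of the permissions discussed here it requests. It assumes the manifest has already been decoded from the APK's binary XML; the sample manifest and the function name audit_manifest are constructed for illustration. Note that BIND_ACCESSIBILITY_SERVICE is not requested with uses-permission: it appears as the android:permission attribute of the app's own accessibility service, so it is checked separately.

```python
import xml.etree.ElementTree as ET  # for untrusted manifests, prefer defusedxml

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
P = "android.permission."

# Permissions from this page that an app requests for itself.
PAGE_PERMISSIONS = {P + n for n in """
 ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION ACCESS_LOCATION_EXTRA_COMMANDS
 ACCESS_MOCK_LOCATION BROADCAST_PACKAGE_REMOVED BROADCAST_SMS BROADCAST_STICKY
 BROADCAST_WAP_PUSH CALL_PRIVILEGED CHANGE_COMPONENT_ENABLED_STATE
 DELETE_PACKAGES DUMP GET_TASKS INSTALL_PACKAGES PROCESS_OUTGOING_CALLS
 READ_CALENDAR READ_CONTACTS READ_SMS RECEIVE_MMS REORDER_TASKS SET_DEBUG_APP
 SET_PREFERRED_APPLICATIONS SYSTEM_ALERT_WINDOW WRITE_CALENDAR WRITE_CONTACTS
""".split()}

def audit_manifest(xml_text):
    """Return the page-listed permissions requested and any accessibility services."""
    root = ET.fromstring(xml_text)
    requested = set()
    # uses-permission-sdk-23 requests a permission only on API 23 and later.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(A + "name")
            if name in PAGE_PERMISSIONS:
                requested.add(name)
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    services = [s.get(A + "name") for s in root.iter("service")
                if s.get(A + "permission") == P + "BIND_ACCESSIBILITY_SERVICE"]
    return {"requested": sorted(requested), "accessibility_services": services}

# Constructed sample manifest for a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm in report["requested"]:
        print("requests:", perm)
    for svc in report["accessibility_services"]:
        print("accessibility service:", svc)
```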